HIPAA vs. 42 CFR Part 2 (Substance Use Disorder Records)
Two overlapping federal privacy frameworks that apply to different categories of health information. HIPAA governs all protected health information. 42 CFR Part 2 adds a stricter layer of protection specifically for substance use disorder (SUD) treatment records, with tighter consent and redisclosure rules.
HIPAA
The baseline federal standard for protecting all individually identifiable health information (PHI). Permits many uses and disclosures without patient authorization, including treatment, payment, and healthcare operations (TPO).
42 CFR Part 2
A stricter federal regulation that protects records of patients receiving treatment from federally assisted substance use disorder (SUD) programs. Requires written patient consent for nearly all disclosures, including treatment and payment, and restricts redisclosure: a recipient generally may not pass the records on without the patient's consent.
Side-by-Side Comparison
| Element | HIPAA | 42 CFR Part 2 |
|---|---|---|
| Scope of Information | All individually identifiable health information (PHI) in any form: paper, oral, and electronic | Only records relating to the identity, diagnosis, prognosis, or treatment of a patient maintained in connection with a federally assisted SUD program |
| Consent for Disclosure | Permits disclosure for treatment, payment, and healthcare operations (TPO) without patient authorization. Authorization required for marketing, sale of PHI, and psychotherapy notes. | Requires specific written patient consent for virtually all disclosures, including for treatment and payment. Consent form must contain specific elements defined at 42 C.F.R. Section 2.31. |
| Redisclosure | Recipients of PHI may use and re-disclose information for purposes permitted under HIPAA without returning to the patient | Redisclosure without patient consent is prohibited, and every disclosure must carry the notice required by Section 2.32 that the information may not be further disclosed without consent. The 2024 final rule carved out one case: a Part 2 program, covered entity, or business associate that received the record under a TPO consent may redisclose it as HIPAA permits, except for use in civil, criminal, administrative, or legislative proceedings against the patient. Outside that carve-out, this remains the single biggest operational difference. |
| Applies To | Covered entities (health plans, clearinghouses, providers who transmit electronically) and their business associates | Federally assisted SUD programs, including those receiving federal funding, tax-exempt status, or authorization to dispense controlled substances for SUD treatment (e.g., OTP, OBOT programs) |
| Minimum Necessary | Covered entities must limit PHI disclosed to the minimum necessary for the intended purpose (Section 164.502(b)) | Part 2 has its own limit at Section 2.13(a): any disclosure must be limited to the information necessary to carry out the purpose of the disclosure. In practice this sits on top of the consent model: you disclose only what the patient consented to, and within that, only what the stated purpose requires. |
| Enforcement Agency | Office for Civil Rights (OCR) within HHS. Civil money penalties up to $2.13M (inflation-adjusted) per violation category per year. | Historically SAMHSA, backed only by the criminal fines in 42 U.S.C. Section 290dd-2(f). The CARES Act (2020) amended 290dd-2(f) so that Part 2 violations are subject to the HIPAA civil and criminal penalty sections, and the 2024 final rule implemented that change; OCR now enforces Part 2 using HIPAA enforcement mechanisms. |
| Criminal Penalties | Criminal penalties under 42 U.S.C. Section 1320d-6 for knowingly obtaining or disclosing PHI (up to $250,000 and 10 years) | Before the CARES Act, 42 U.S.C. Section 290dd-2(f) carried a fine of up to $500 for a first offense and up to $5,000 for each subsequent offense. Those amounts were replaced: a Part 2 violation is now subject to the same civil and criminal penalties as a HIPAA violation, not to a separate $500/$5,000 schedule. |
| Use in Legal Proceedings | PHI may be disclosed in response to a court order or subpoena with appropriate protections (Section 164.512(e)) | SUD records may only be disclosed in legal proceedings under a court order issued under Subpart E (Sections 2.61 through 2.67). A standard subpoena is not sufficient, and a court order alone does not compel disclosure either: Section 2.61(a) requires a subpoena or similar legal mandate to accompany the order. The court must find good cause after balancing the need for disclosure against potential harm to the patient, the physician-patient relationship, and the treatment program. |
| Emergency Exception | Permitted to disclose PHI for treatment purposes in medical emergencies without authorization | Permits disclosure to medical personnel to the extent necessary to meet a bona fide medical emergency (Section 2.51). But the emergency exception is narrow and does not open the record for general treatment access after the emergency resolves. |
| Audit and Oversight | Covered entities must account for certain disclosures and maintain records for 6 years | Programs must maintain records of disclosures. After 2024 final rule, Part 2 programs must provide patients with an accounting of disclosures consistent with HIPAA requirements. |
| Key CFR References | 45 C.F.R. Part 160 (general administrative requirements), Part 164 Subpart A (general provisions), Subpart C (security), Subpart D (breach notification), Subpart E (privacy) | 42 C.F.R. Part 2, Subpart A (general provisions), Subpart B (general restrictions), Subpart C (disclosures with consent), Subpart D (disclosures without consent), Subpart E (court orders) |
2024 Final Rule: Part 2 Alignment with HIPAA
On February 16, 2024, HHS published a final rule (89 FR 12472) making significant changes to 42 CFR Part 2 to better coordinate with HIPAA. The rule took effect on April 16, 2024, with a compliance date of February 16, 2026.
What Changed
- Consent: a patient may sign a single written consent covering all future disclosures for treatment, payment, and healthcare operations (TPO), instead of a separate consent for each disclosure.
- Redisclosure: a Part 2 program, covered entity, or business associate that received records under a TPO consent may redisclose them as HIPAA permits, except for use in proceedings against the patient.
- Breach notification: HIPAA's breach notification requirements now apply to Part 2 records.
- Patient rights: Part 2 programs must provide an accounting of disclosures and a Notice of Privacy Practices aligned with HIPAA's.
- Enforcement: the CARES Act's move of Part 2 penalties onto HIPAA's civil and criminal penalty provisions is implemented, and OCR enforces Part 2 alongside HIPAA.
What Did Not Change
- Part 2 remains a separate regulation; it was not absorbed into HIPAA.
- Written patient consent is still required for disclosures that HIPAA would permit without authorization, including treatment and payment.
- The redisclosure notice under Section 2.32 must still accompany every disclosure.
- Use of records in legal proceedings still requires a Subpart E court order; a subpoena alone is not enough.
- The definition of a federally assisted program, and therefore who is covered, did not change.
Practical Scenarios
Integrated Care Setting (Primary Care + SUD Treatment)
Scenario: A health system operates both a primary care clinic and a federally assisted opioid treatment program (OTP). A patient is seen in both settings. The primary care physician wants to view the patient's SUD treatment records to coordinate medication management.
Analysis: The primary care records are governed by HIPAA. The SUD treatment records from the OTP are governed by both HIPAA and Part 2. Even within the same health system, the SUD records cannot be shared with the primary care physician without the patient's written Part 2 consent. After the 2024 final rule, the patient can sign a single consent covering future TPO disclosures, but that consent must still be obtained.
Medication-Assisted Treatment (MAT) in an Emergency Department
Scenario: A patient on buprenorphine for opioid use disorder arrives at the ED after a car accident. The ED physician needs to know the patient's current medications to avoid dangerous interactions.
Analysis: The medical emergency exception (Section 2.51) permits disclosure of Part 2 records to medical personnel to the extent necessary to meet a bona fide medical emergency. The ED physician can receive the medication information needed for emergency treatment. The disclosing program must document the disclosure immediately (Section 2.51(c)): the name and affiliation of the medical personnel who received it, who disclosed it, the date and time, and the nature of the emergency. Once the emergency resolves, the exception no longer applies; the ED cannot treat the SUD records as part of the patient's general chart, open to routine treatment access, without consent.
Health Plan Requesting SUD Records for Claims Processing
Scenario: A health insurance plan requests a patient's SUD treatment records from an OTP to process a claim for reimbursement.
Analysis: Under HIPAA alone, a covered entity may disclose PHI to a health plan for payment without patient authorization. Under Part 2, patient consent is required even for payment disclosures. The OTP must have the patient's written Part 2 consent before releasing records to the health plan. The 2024 final rule allows a single consent form covering TPO, but the patient must still sign it.
Law Enforcement Subpoena for SUD Records
Scenario: A prosecutor issues a subpoena for a patient's SUD treatment records as part of a criminal investigation.
Analysis: A standard subpoena is not sufficient for Part 2 records, even though HIPAA permits disclosures in response to a court order or subpoena with certain protections. Part 2 requires a court order under Subpart E, and a subpoena to accompany it (Section 2.61). Where the purpose is to investigate or prosecute the patient, the stricter criteria of Section 2.65 apply; otherwise Section 2.64 governs. In either case the patient and the program must be given notice and an opportunity to respond, and the court must find good cause by weighing the public interest against the potential harm to the patient, the physician-patient relationship, and the effectiveness of the treatment program.
Common Points of Confusion
'We're HIPAA compliant, so we're covered for SUD records too'
Reality: HIPAA compliance alone does not satisfy Part 2 requirements. Part 2 imposes additional consent, redisclosure, and court order restrictions that go beyond HIPAA. An organization treating SUD patients through a federally assisted program must comply with both frameworks simultaneously. The stricter rule applies when they conflict.
'The 2024 rule merged Part 2 into HIPAA'
Reality: The 2024 final rule aligned certain Part 2 provisions with HIPAA (breach notification, patient rights, enforcement), but Part 2 remains a separate regulation with its own consent requirements, redisclosure prohibition, and court order provisions. It was not absorbed into HIPAA.
'Part 2 only applies to rehab centers'
Reality: Part 2 applies to any federally assisted program that provides SUD diagnosis, treatment, or referral for treatment. This includes programs receiving any federal funding, operating under a DEA registration to dispense controlled substances for SUD treatment (including OTPs and office-based opioid treatment), or that are tax-exempt. One qualifier matters for general medical settings: under the definition of "program" in Section 2.11, a hospital or general medical practice is a Part 2 program only as to an identified unit that holds itself out as providing SUD diagnosis, treatment, or referral, or medical personnel whose primary function is SUD treatment and who are identified as such. Many hospitals, community health centers, and even some private practices have such a unit or provider and therefore trigger Part 2 coverage for those records.
'We can segment SUD records in our EHR and that solves it'
Reality: EHR segmentation is a necessary operational step, but it is not sufficient. The system must still check for a valid Part 2 consent (recipient, purpose, expiration, revocation) before releasing segmented SUD data, attach the Section 2.32 redisclosure notice to every permitted disclosure, record the documentation Section 2.51(c) requires for emergency releases, and track and account for all disclosures of Part 2 data separately from ordinary PHI. Segmentation without the consent and tracking processes is incomplete compliance.
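The point above is an access-control design problem, so here is a small disclosure gate that enforces it. This is an added illustration, not code from the article or from any real EHR product; the class names, the `part2` record flag, the `{"*"}` convention for a TPO-wide consent, and the abbreviated notice string are all assumptions, and the sample records and consents are constructed. The real notice wording is in 42 CFR 2.32, and the real consent elements are in 2.31; the gate only models the decision logic.

```python
"""Illustrative Part 2-aware disclosure gate (added example, not from any
real EHR or from the article). All names and field layouts are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TPO = {"treatment", "payment", "health care operations"}

# Placeholder only; the actual notice text required by 42 CFR 2.32 lives in the rule.
REDISCLOSURE_NOTICE = "42 CFR Part 2 record: not to be redisclosed without patient consent"


@dataclass(frozen=True)
class Record:
    patient_id: str
    source: str       # e.g. "primary-care" or "otp" (assumed tagging scheme)
    part2: bool       # True when the record originates from a Part 2 program
    content: str


@dataclass
class Consent:
    """Subset of the 2.31 consent elements needed for the decision."""
    patient_id: str
    recipients: set   # named recipients, or {"*"} for a TPO-wide consent (2024 rule)
    purposes: set
    expires: date
    revoked: bool = False

    def covers(self, recipient: str, purpose: str, today: date) -> bool:
        return (not self.revoked and today <= self.expires
                and purpose in self.purposes
                and ("*" in self.recipients or recipient in self.recipients))


@dataclass(frozen=True)
class Disclosure:
    record: Record
    recipient: str
    purpose: str
    basis: str                 # legal basis recorded for the accounting of disclosures
    notice: Optional[str]      # 2.32 notice travels with every Part 2 release


class DisclosureGate:
    def __init__(self) -> None:
        self.consents: list = []
        self.accounting: list = []   # every release, Part 2 or not

    def disclose(self, record: Record, recipient: str, purpose: str,
                 today: date, emergency: bool = False) -> Disclosure:
        if not record.part2:
            # Ordinary PHI: HIPAA permits TPO without authorization.
            if purpose in TPO:
                return self._release(record, recipient, purpose, "HIPAA 164.506 TPO", notice=None)
            raise PermissionError("HIPAA authorization required for a non-TPO purpose")
        if emergency and purpose == "treatment":
            # 2.51: bona fide medical emergency. The release is still logged so the
            # 2.51(c) documentation and the accounting of disclosures can be produced.
            return self._release(record, recipient, purpose, "42 CFR 2.51 emergency")
        consent = next((c for c in self.consents
                        if c.patient_id == record.patient_id
                        and c.covers(recipient, purpose, today)), None)
        if consent is None:
            # Segmentation alone is not enough: no valid consent, no release, even for TPO.
            raise PermissionError("Part 2 record: written consent under 2.31 required")
        return self._release(record, recipient, purpose, "42 CFR 2.31 consent")

    def _release(self, record: Record, recipient: str, purpose: str, basis: str,
                 notice: Optional[str] = REDISCLOSURE_NOTICE) -> Disclosure:
        d = Disclosure(record, recipient, purpose, basis, notice)
        self.accounting.append(d)
        return d

    def accounting_for(self, patient_id: str) -> list:
        """Part 2 disclosures only, tracked separately from ordinary PHI releases."""
        return [d for d in self.accounting
                if d.record.patient_id == patient_id and d.record.part2]


def demo() -> dict:
    """Runs the article's scenarios on constructed data and returns the outcomes."""
    today = date(2026, 3, 1)
    gate = DisclosureGate()
    pcp_note = Record("p1", "primary-care", False, "A1c 6.1")              # constructed
    otp_note = Record("p1", "otp", True, "buprenorphine 16 mg daily")      # constructed
    results = {}
    results["hipaa_payment"] = gate.disclose(pcp_note, "health-plan", "payment", today).notice
    try:
        gate.disclose(otp_note, "health-plan", "payment", today)
        results["part2_payment_no_consent"] = "released"
    except PermissionError:
        results["part2_payment_no_consent"] = "denied"
    consent = Consent("p1", {"*"}, set(TPO), date(2027, 1, 1))            # single TPO consent
    gate.consents.append(consent)
    d = gate.disclose(otp_note, "primary-care-md", "treatment", today)
    results["part2_tpo_consent"] = (d.basis, d.notice is not None)
    results["emergency"] = gate.disclose(otp_note, "ed-physician", "treatment",
                                         today, emergency=True).basis
    consent.revoked = True                                                  # patient revokes
    try:
        gate.disclose(otp_note, "primary-care-md", "treatment", today)
        results["after_revocation"] = "released"
    except PermissionError:
        results["after_revocation"] = "denied"
    results["accounting_count"] = len(gate.accounting_for("p1"))
    return results


if __name__ == "__main__":
    print(demo())
```

The gate treats the `part2` flag as the segmentation boundary and refuses TPO releases across it unless a consent matches recipient, purpose, expiration and revocation state; the primary-care record in the same chart flows under HIPAA without a notice, while every Part 2 release carries the notice and lands in a separate accounting list. Denied requests are not logged as disclosures, which is what an accounting of disclosures should reflect.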